app: aboot: check splash buffer size for overflow
Check splash buffer size for overflow before loading splash image
from emmc or flash.
Change-Id: Iff3e5ff8ba0033340f61b262d6a53adb11add7ce
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index be347ce..dce379e 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -3671,6 +3671,17 @@
}
uint8_t *base = (uint8_t *) fb_display->base;
+ uint32_t fb_size = ROUNDUP(fb_display->width *
+ fb_display->height *
+ (fb_display->bpp / 8), 4096);
+ uint32_t splash_size = ((((header->width * header->height *
+ fb_display->bpp/8) + 511) >> 9) << 9);
+
+ if (splash_size > fb_size) {
+ dprintf(CRITICAL, "ERROR: Splash image size invalid\n");
+ return -1;
+ }
+
if (flash_read(ptn + LOGO_IMG_HEADER_SIZE, 0,
(uint32_t *)base,
((((header->width * header->height * fb_display->bpp/8) + 511) >> 9) << 9))) {
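Review bot: The length argument of the flash_read() call right after the new check still spells out the whole size expression instead of using `splash_size`, so the value that is checked and the value that is read can drift apart in a later edit; pass `splash_size` as the last argument. The product `header->width * header->height * fb_display->bpp/8` comes from the header stored on the splash partition and, if those fields are 32-bit as the `uint32_t` result suggests, it can wrap. The wrapped value is the one both checked and read, so the read stays bounded, but computing it as `(uint64_t)header->width * header->height * (fb_display->bpp / 8)` and comparing before narrowing would reject bogus dimensions outright. Whether the framebuffer allocation is really padded to the 4096-byte ROUNDUP used for `fb_size` (here and in the mmc hunk) is not visible and is worth confirming. The enclosing function starts and ends outside the hunk.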
@@ -3744,6 +3755,15 @@
|| (header->height != fb_display->height))
fbcon_clear();
+ uint32_t fb_size = ROUNDUP(fb_display->width *
+ fb_display->height *
+ (fb_display->bpp / 8), 4096);
+
+ if (readsize > fb_size) {
+ dprintf(CRITICAL, "ERROR: Splash image size invalid\n");
+ return -1;
+ }
+
if (mmc_read(ptn + blocksize, (uint32_t *)(base + blocksize), readsize)) {
dprintf(CRITICAL, "ERROR: Cannot read splash image from partition\n");
return -1;
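Review bot: The new check compares `readsize` alone with `fb_size`, but the mmc_read() below it writes to `base + blocksize`, so the data ends at offset `blocksize + readsize`. A `readsize` within `blocksize` bytes of `fb_size` passes the check and still writes past `fb_size`. The guard should include the offset without risking wrap-around, e.g. `if (readsize > fb_size || blocksize > fb_size - readsize) {`. `readsize` and `blocksize` are computed outside the hunk, so their types and how `readsize` is derived from the header should be checked for 32-bit overflow as well.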